Over 90% Of Cloud Services Used In Healthcare Pose Medium To High Security Risk

According to cloud security vendor Skyhigh Networks, more than 13% of cloud services used in healthcare are high-risk and 77% are medium risk ‒ as measured across 54 different security attributes (like data encryption and "two factor" authentication).

As if to add emphasis to this exact point, risqué celebrity photos were hacked over the weekend in what is being rumored as a potentially broader attack on Apple's iCloud service (specifically the Photo Stream feature).

While cloud vendors have a general responsibility to encrypt data at rest and offer two-factor authentication (iCloud does), they can't really dictate the use of important safety measures ‒ especially on the retail/consumer side. In the case of two-factor authentication, it's an extra, somewhat annoying step and the risks are often thought to be vague or low for casual consumer data. As a gentle reminder, if you haven't read Mat Honan's account of how he lost his digital life in one hour (August 2012 Wired), now would be a good time to get that chilling refresher.

This also underscores healthcare's broader dilemma. On the one hand, cloud services can offer advanced technical solutions at an attractive price compared to on-premise hardware and software, but issues of privacy and security are also very different for healthcare. Recent statistics from Skyhigh Networks also serve to emphasize these concerns.

The recent breach at Community Health Systems (4.5 million patient records) could well be the tipping point in the on-premise versus cloud debate ‒ at least in healthcare. While the forensic analysis is still underway, it appears that the Heartbleed bug did play a leading role in the breach and that means open-source software was a contributing factor to what is now the 2nd largest data breach in U.S. healthcare. I'm equally sure that CHS wasn't alone in the use of free open-source software for this critical security component.

There's nothing inherently wrong with open-source software, of course, but its use in healthcare for protecting patient records does make it higher risk because there is no software warranty of any kind. The pending class action lawsuit against CHS could well hinge on this one point because it could go to the heart of another legal phrase ‒ negligence. Should CHS (or really any healthcare entity) rely on open-source software as a mission-critical component of web security in protecting patient records?

All of which highlights the broader issues around cybersecurity in healthcare.

The gap between offense and defense is growing and continues to favor the attackers. They only need one exploit or vulnerability whereas IT departments have to protect against the entire attack surface.

Cyber experts as a resource are in high demand ‒ and dwindling supply. This doesn't bode well for healthcare generally ‒ which has tended to downplay the importance of IT infrastructure and typically under-funds security specifically.

As evidenced by CHS, "bad actors" are no longer lone hackers for quick profit ‒ but are well-organized "advanced persistent threats" that are often coordinated by large groups on behalf of entire countries (Russia, Ukraine, China etc.).

Leading software security vendor Symantec offers these five elements of an "advanced persistent threat."

While there's no way to know for sure at this stage, I estimate the cost of the CHS breach at somewhere between $75 million and $150 million. Whatever the final amount, it's relatively easy for a 31,000-bed hospital system (with a market cap of $6 billion) to absorb, but a large data breach could easily cripple a smaller system or facility. Even small ones have millions of patient records.

In that sense, the debate between on-premise and cloud solutions could well be coming to an end. Cloud solutions may well be the only way that large segments of the healthcare industry are able to address critical IT infrastructure issues like security. Healthcare today can't afford the talent or the resources to staff advanced security operations centers (SOCs), but they need the advanced protection that newer technology solutions can deliver.

That's where companies like Skyhigh Networks represent a potentially strong fit for healthcare. Founded in 2011 (with more than $66 million in venture funding to date), Skyhigh helps organizations to discover, analyze and control thousands of cloud services in use throughout an entire enterprise.

"Cloud technology is a logical imperative for healthcare because it offers compelling IT value across a wide range of services and solutions, but it also poses new security challenges and threats. We intuitively know that we can't eliminate all risk, so organizations across the healthcare spectrum need to take a proactive, risk-informed and actively monitored approach to leveraging all the cloud benefits while maximizing for the various attributes related to security." Rajiv Gupta - Founder, CEO of Skyhigh Networks

Unbreakable data security doesn't exist and isn't likely to appear in the foreseeable future. All we really have are varying degrees of sophisticated defenses in attempts to thwart increasingly sophisticated attacks. In healthcare, being able to afford the newer defense mechanisms and lower risk profiles is likely to include a wide range of cloud options. That could logically include relatively new ones like Skyhigh Networks.